Hundreds of thousands could lose Internet connection July 9

In case you have not heard the news, on July 9, 2012, hundreds of thousands of computers will lose access to the Internet. This is not some hoax or urban legend, but a fact announced by the FBI.

The announcement followed the arrest of Estonian hackers from a group that had made millions of dollars using a fraud scheme that infected millions of computers worldwide with a “DNS Changer” malware that redirected legitimate commercial transactions to a series of scam Web sites. These cyber crooks created a sham company called “Rove Digital” to receive the revenue of the scam.

DNS is an acronym for a Domain Name Server, which serves somewhat like an Internet phone book, converting Web addresses, also known as domain names (such as www.theexaminer.com[2]), into an IP (Internet Protocol) address (theexaminer.com is really 50.116.108.205). Changing the Domain Name Server accessed by an infected computer is like replacing an authentic phonebook with a purloined one that has the correct names but intentionally different phone numbers. Dialing a correct phone number will connect you to a crook who pretends to be the person you called; this is what the DNS Changer malware does to an infected computer. As many as 500,000 American computers may have been infected by this DNS Changer malware, as were an estimated 4 million other computers around the world. In addition to modifying the computer’s DNS, the malware also made the infected computers vulnerable to a variety of other malware. The rogue servers were hosted in Estonia, New York and Chicago.

This scam was very lucrative to the Estonian hackers who made an estimated $14 million in illicit fees. According to the FBI, this cyber-gang started infecting computers with the DNS Changer malware in 2007, successfully infiltrating millions of computers owned by individuals, businesses, schools and colleges, and government agencies, including NASA. The malware was able to penetrate many of the antivirus products in use, and prevented the installed antivirus and operating system software from updating, which would have likely enabled the antivirus software to detect and kill the DNS Changer. Since the security software would not be updated, there would be no protection from the thousands of new viruses, worms, and Trojans that appear every day, which allowed those computers to become infected with countless additional malware programs and other threats. According to the FBI, “They were organized and operating as a traditional business but profiting illegally as the result of the malware. There was a level of complexity here that we haven’t seen before.” Since DNS Changer redirected the unsuspecting victims to rogue Internet servers, the crooks were able to manipulate the destination of the Web connections. In one example of how this scam worked, the FBI said, “When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software. Not only did the cyber thieves make money from these schemes, they deprived legitimate Web site operators and advertisers of substantial revenue.” The FBI announced the arrest of the “Rove Digital” Estonian hackers on November 9, 2011.

Since there are likely millions of computers still infected with the DNS Changer malware, the sudden shutdown of those rogue servers would have prevented the victims from accessing many of their favorite Web sites. In order to allow the infected computers to continue to access the Internet but actually reach their intended Web sites. the FBI arranged for the rogue servers to be temporarily replaced with legitimate servers, such that the victims’ Internet access is not disrupted. It is these temporary replacement Internet servers that will be shut down on July 9, meaning that anyone who still has a computer infected with DNS Changer as of that date may lose Internet access.

In order for users around the world to determine if their computers are infected with the DNS Changer malware, a consortium of academic, governmental, and private organizations created the DNS Changer Working Group (DCWG), which initially administered the servers that replaced the illicit Rove Digital servers. The DCWG consists of representatives from Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. The Web site for the DCWG, www.dcwg.org[3], is hosted at the Georgia Institute of Technology under a research grant provided by the Office of Naval Research. The DCWG provides a quick method for users to determine whether or not their computers are infected with the DNS Changer malware. According to the DCWG, there are still 350,000 computers infected by the DNS Changer malware that are using the clean servers maintained by the DCWG that replaced the Rove Digital servers.In order to quickly and safely test if a computer has been hijacked by the DNS Changer malware, the DCWG has created 11 international servers that will report back to the user if his computer is indeed hijacked by DNS Changer; in the U.S. the link for this test is www.dns-ok.us[4]. The test can be run from any browser, and nothing is downloaded or installed on the computer during the test; it is simply a test to see if the computer is connecting to a correct IP address. The results are almost instantaneous, with a “DNS Changer Check Up” result displayed in an IP graphic; if it is green, the user is possibly free of the DNS Changer malware, but the green graphic does not certainly prove that the computer is clean. When the green display appears, it also says, “ Your computer appears to be looking up IP addresses correctly! Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers, you would have reached this site even though you are infected.” If the display is red, then it is likely that the computer is one of the many that have been compromised by DNS Changer.

For the computer that is “red,” it will be necessary to clean the DNS Changer malware and then reset your DNS. Most of the current anti-spyware products such as the free versions of SuperAntiSpyware (www.superantispyware.com[5]) and the free version of MalwareBytes (malwarebytes.org/products/malwarebytes_free) can detect and remove the DNS Changer malware, but it will still be necessary to reset your DNS in order for the Internet to properly function on your computer.Almost all ISP’s (Internet Service Providers) offer telephone support that will help the user reset the DNS to the ISP’s preferred DNS server. Gizmo’s TechSupportAlert has instructions and links on how to find the best DNS server for you (techsupportalert.com/content/how-find-best-dns-server.htm), as well as detailed instructions on how to change or reset the DNS settings on your computer (techsupportalert.com/content/how-change-dns-server.htm).

Google has a free DNS utility “Namebench” at code.google.com/p/namebench that can help the user find the fastest free DNS, with instructions on how to change your DNS at developers.google.com/speed/public-dns/docs/using . Another excellent DNS service, OpenDNS, has simple but detailed instructions on how to change your DNS at use.opendns.com. If you use Google’s Namebench to find the best combination of DNS for your computer and connection, you can use those DNS on your computer by following the instructions given on Google or OpenDNS on how to change your DNS settings; while the default DNS listed on the Google and OpenDNS instructions are excellent and totally adequate, there may be some performance improvement by using the DNS recommended by Namebench. You can always change them again later.

If you enjoy or depend on the Internet, it is imperative that you go to www.dcwg.org/detect[6] and see if your browser is connecting to a legitimate DNS. If the results are “green” you are likely (but not certainly) safe from the DNS Changer Trojan and can probably continue to use the Internet after July 9. If you are “red,” you must clean your computer of the DNS Changer malware and reset your DNS as instructed above. Regardless of “green” or “red” results, it is always a good practice to periodically scan your computer with a good third-party utility such as SuperAntiSpyware or MalwareBytes to verify that nothing slipped by your security software. Failure to check your computer prior to July 9 may mean no Internet for you on July 10.

Listen to Ira Wilsker’s weekly radio show on Mondays from 6-7 p.m. on KLVI 560AM.